143 lines
No EOL
5 KiB
Text
143 lines
No EOL
5 KiB
Text
Advisory: Endeca Latitude Cross-Site Request Forgery
|
|
|
|
RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF)
|
|
vulnerability in Endeca Latitude. Using this vulnerability, an attacker
|
|
might be able to change several different settings of the Endeca
|
|
Latitude instance or disable it entirely.
|
|
|
|
|
|
Details
|
|
=======
|
|
|
|
Product: Endeca Latitude
|
|
Affected Versions: 2.2.2, potentially others
|
|
Fixed Versions: N/A
|
|
Vulnerability Type: Cross-Site Request Forgery
|
|
Security Risk: low
|
|
Vendor URL: N/A
|
|
Vendor Status: decided not to fix
|
|
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-002
|
|
Advisory Status: published
|
|
CVE: CVE-2014-2399
|
|
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2399
|
|
|
|
|
|
Introduction
|
|
============
|
|
|
|
Endeca Latitude is an enterprise data discovery platform for advanced,
|
|
yet intuitive, exploration and analysis of complex and varied data.
|
|
Information is loaded from disparate source systems and stored in a
|
|
faceted data model that dynamically supports changing data. This
|
|
integrated and enriched data is made available for search, discovery,
|
|
and analysis via interactive and configurable applications.
|
|
|
|
(from the vendor's homepage)
|
|
|
|
|
|
More Details
|
|
============
|
|
|
|
Endeca Latitude offers administrators the ability to perform different
|
|
administrative and configuration operations by accessing URLs.
|
|
These URLs are not secured by a randomly generated token and therefore
|
|
are prone to Cross-Site Request Forgery attacks.
|
|
|
|
For example by accessing the URL http://example.com/admin?op=exit an
|
|
administrator can shut down the Endeca Latitude instance. Several other
|
|
URLs exist (as documented at [1] and [2]) which can be used to trigger
|
|
operations such as flushing cashes or changing the logging settings.
|
|
|
|
|
|
Proof of Concept
|
|
================
|
|
|
|
An attacker might prepare a website, which can trigger arbitrary
|
|
functionality (see [1] and [2]) of an Endeca Latitude instance if
|
|
someone opens the attacker's website in a browser that can reach Endeca
|
|
Latitude. An easy way to implement this is to embed a hidden image into
|
|
an arbitrary website which uses the corresponding URL as its source:
|
|
|
|
<img src="http://example.com/admin?op=exit" style="display:hidden" />
|
|
<img src="http://example.com/config?op=log-disable" style="display:hidden" />
|
|
[...]
|
|
|
|
|
|
Workaround
|
|
==========
|
|
|
|
The vendor did not update the vulnerable software, but recommends to
|
|
configure all installations to require mutual authentication using TLS
|
|
certificates for both servers and clients, while discouraging users from
|
|
installing said client certificates in browsers.
|
|
|
|
|
|
Fix
|
|
===
|
|
|
|
Not available. The vendor did not update the vulnerable software to
|
|
remedy this issue.
|
|
|
|
|
|
Security Risk
|
|
=============
|
|
|
|
The vulnerability can enable attackers to be able to interact with an
|
|
Endeca Latitude instance in different ways. Possible attacks include the
|
|
changing of settings as well as denying service by shutting down a
|
|
running instance. Attackers mainly benefit from this vulnerability if
|
|
the instance is not already available to them, but for example only to
|
|
restricted IP addresses or after authentication. Since this makes it
|
|
harder to identify potential target systems and the attack mainly allows
|
|
to disturb the service until it is re-started, the risk of this
|
|
vulnerability is considered to be low.
|
|
|
|
|
|
Timeline
|
|
========
|
|
|
|
2013-10-06 Vulnerability identified
|
|
2013-10-08 Customer approved disclosure to vendor
|
|
2013-10-15 Vendor notified
|
|
2013-10-17 Vendor responded that investigation/fixing is in progress
|
|
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
|
|
CPU
|
|
2014-03-13 Vendor responded with additional information about a
|
|
potential workaround
|
|
2014-04-15 Vendor releases Critical Patch Update Advisory with little
|
|
information on the proposed fix
|
|
2014-04-16 More information requested from vendor
|
|
2014-05-02 Vendor responds with updated information
|
|
2014-06-25 Advisory released
|
|
|
|
|
|
References
|
|
==========
|
|
|
|
[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20administrative%20operations
|
|
[2] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20supported%20logging%20variables
|
|
|
|
|
|
RedTeam Pentesting GmbH
|
|
=======================
|
|
|
|
RedTeam Pentesting offers individual penetration tests, short pentests,
|
|
performed by a team of specialised IT-security experts. Hereby, security
|
|
weaknesses in company networks or products are uncovered and can be
|
|
fixed immediately.
|
|
|
|
As there are only few experts in this field, RedTeam Pentesting wants to
|
|
share its knowledge and enhance the public knowledge with research in
|
|
security related areas. The results are made available as public
|
|
security advisories.
|
|
|
|
More information about RedTeam Pentesting can be found at
|
|
https://www.redteam-pentesting.de.
|
|
|
|
|
|
--
|
|
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
|
|
Dennewartstr. 25-27 Fax : +49 241 510081-99
|
|
52068 Aachen https://www.redteam-pentesting.de
|
|
Germany Registergericht: Aachen HRB 14004
|
|
Geschäftsführer: Patrick Hof, Jens Liebchen |